
Commit 57956ce

authored
Merge pull request #1 from wangwangping/alert-autofix-86
Fix code scanning alert no. 86: Server-side request forgery
2 parents 4711f4e + 9465a6a commit 57956ce


2 files changed

+18
-0
lines changed


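--- a/src/main/java/org/joychou/controller/SSRF.java
+++ b/src/main/java/org/joychou/controller/SSRF.java
@@ -1,4 +1,6 @@
 package org.joychou.controller;
+import java.util.Arrays;
+import java.util.List;
 
 import cn.hutool.http.HttpUtil;
 import org.joychou.security.SecurityUtil;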

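--- a/src/main/java/org/joychou/util/HttpUtils.java
+++ b/src/main/java/org/joychou/util/HttpUtils.java
@@ -32,6 +32,19 @@
 * @author JoyChou 2020-04-06
 */
 public class HttpUtils {
+private static final List<String> ALLOWED_URLS = Arrays.asList(
+"http://example.com",
+"http://another-allowed-url.com"
+);
+
+private static boolean isValidUrl(String url) {
+try {
+URI uri = new URI(url);
+return ALLOWED_URLS.contains(uri.getScheme() + "://" + uri.getHost());
+} catch (URISyntaxException e) {
+return false;
+}
+}
 
 private final static Logger logger = LoggerFactory.getLogger(HttpUtils.class);
 
@@ -203,6 +216,9 @@ public static void IOUtils(String url) {
 
 
 public static String HttpAsyncClients(String url) {
+if (!isValidUrl(url)) {
+return "Invalid URL";
+}
 CloseableHttpAsyncClient httpclient = HttpAsyncClients.createDefault();
 try {
 httpclient.start();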
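Review bot: The allow-list check in isValidUrl compares only scheme and host, so any port is accepted (`http://example.com:8080/...` passes) and a redirect issued by the allowed host is never re-checked — if the `HttpAsyncClients.createDefault()` client follows redirects, which the Apache defaults appear to do for GET, the request can still be steered to an internal address. The guard is also only wired into HttpAsyncClients; IOUtils and the other fetch helpers in this file (outside the hunk) remain unguarded, and the two listed hosts are placeholders that will have to be replaced before this blocks anything in practice. isValidUrl also references URI and URISyntaxException without this commit adding java.net imports to HttpUtils.java, so it compiles only if they were already present. I'd have the check reject a missing scheme or host, pin the port and normalise case, and build the client with redirects disabled, e.g. `HttpAsyncClients.custom().disableRedirectHandling().build()`; the rewrite below needs `java.util.Locale` in scope.
```java
private static boolean isValidUrl(String url) {
    try {
        URI uri = new URI(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // URI.getHost() is null for inputs such as "http:///x" or bare paths; fail closed.
        if (scheme == null || host == null) {
            return false;
        }
        // Only the default port of the allowed scheme is accepted; an explicit
        // port would otherwise let "http://example.com:8080" through.
        int port = uri.getPort() == -1 ? 80 : uri.getPort();
        String key = scheme.toLowerCase(Locale.ROOT) + "://" + host.toLowerCase(Locale.ROOT);
        return port == 80 && ALLOWED_URLS.contains(key);
    } catch (URISyntaxException e) {
        return false;
    }
}
```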
